b'                                         September 8, 2006\n\n\n\n\nMEMORANDUM TO:             Luis A. Reyes\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum /RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   AUDIT OF NRC\xe2\x80\x99S PROCESS FOR RELEASING\n                           COMMISSION DECISION DOCUMENTS\n                           (OIG-06-A-22)\n\n\nThis report presents the results of the subject audit. The formal comments\nprovided by your office on August 2, 2006, are presented in their entirety as\nAppendix B to this report. Appendix C contains OIG\xe2\x80\x99s response.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken\nor planned are subject to OIG follow-up as stated in Management Directive 6.1.\n\nIf you have any questions or wish to discuss other issues, please call\nAnthony Lipuma at 415-5910 or me at 415-5915.\n\nAttachment: As stated\n\x0c                     AUDIT REPORT\n\n\n                    Audit of NRC\xe2\x80\x99s Process for Releasing\n                     Commission Decision Documents\n\n                      OIG-06-A-22 September 8, 2006\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                              Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\nEXECUTIVE SUMMARY\n\nBACKGROUND\n\n      The Office of the Inspector General (OIG) became aware of a November\n      2004 staff issue paper to the Commission, commonly known as a SECY\n      Paper, which proposed a new Nuclear Regulatory Commission (NRC) policy\n      for assessing the effectiveness of security measures of material licensees. In\n      the subject SECY Paper, staff expressly requested a \xe2\x80\x9cCommission policy\n      decision\xe2\x80\x9d before proceeding further on a framework for future agency actions.\n      In a subsequent Staff Requirements Memorandum (SRM), the Commission\n      approved the staff\xe2\x80\x99s proposal and the mechanism for implementing the new\n      policy.\n\n      Although it seemed appropriate to inform the public of a proposed new policy,\n      OIG determined that NRC did not inform the public or solicit its comments.\n      Therefore, OIG initiated an audit to examine NRC\xe2\x80\x99s process for making\n      certain Commission decision documents, specifically SECY Papers and\n      SRMs, available for public review and/or comment.\n\nPURPOSE\n\n      The purpose of this audit was to assess the agency\xe2\x80\x99s process for evaluating\n      SECY Papers and SRMs for public release pursuant to relevant legal and\n      regulatory requirements.\n\nRESULTS IN BRIEF\n\n      NRC has a process for handling Freedom of Information Act (FOIA) requests.\n      However, the agency lacks the internal controls needed to ensure compliance\n      with the FOIA automatic disclosure requirements found in 5 U.S.C. 552(a)(1)\n      and (a)(2). Specifically, NRC lacks a systematic process to identify if SECY\n      Papers and SRMs should be released to the public pursuant to FOIA\n      automatic disclosure requirements because:\n\n             \xc2\x83   NRC does not consider these documents to convey policy or other\n                 FOIA automatic disclosure-type material, and\n\n             \xc2\x83   no agency organization is specifically assigned process ownership\n                 of FOIA automatic disclosure responsibilities.\n\n\n\n\n                                           i\n\x0c                             Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n     Absent adequate controls for a systematic review process, the agency may\n     inappropriately withhold decision making documents that meet the threshold\n     for public disclosure. The lack of a rigorous review process jeopardizes\n     NRC\xe2\x80\x99s compliance with FOIA automatic disclosure requirements and\n     hampers the agency\xe2\x80\x99s ability to fully achieve its strategic goal of regulatory\n     openness, thereby undermining public confidence in the agency. Two\n     recommendations were developed in conjunction with this audit. Their\n     implementation, including a systematic review of the agency\xe2\x80\x99s previously\n     unpublished SECY Papers and SRMs, will provide the agency the reasonable\n     assurance needed to report full FOIA compliance.\n\nRECOMMENDATIONS\n\n     This report makes recommendations to the Executive Director for Operations\n     (EDO) to 1) develop a program for NRC compliance with FOIA\xe2\x80\x99s automatic\n     disclosure requirements, and 2) conduct a documented 552(a)(1) and (a)(2)\n     review of previously unpublished SECY Papers and SRMs.\n\nOIG Analysis of Agency Comments\n\n     On August 2, 2006, the EDO provided the agency\xe2\x80\x99s formal response to this\n     report stating general disagreement with the report\xe2\x80\x99s finding and conclusions.\n     The agency did agree, in part, to Recommendation 1 but disagreed with\n     Recommendation 2. The agency\xe2\x80\x99s comments are included in their entirety as\n     Appendix B.\n\n     The agency response cites a number of document reviews that ensure the\n     \xe2\x80\x9cNRC operates in compliance with both the letter and the spirit of the\n     automatic disclosure provisions\xe2\x80\x9d of FOIA. However, none of the processes\n     (described on page 5 of their response) specifically addresses how the\n     agency reviews SECY Papers or SRMs to meet these requirements. Thus,\n     the agency fails to support its argument that it fully complies with FOIA\xe2\x80\x99s\n     automatic disclosure requirements.\n\n     No changes were made to this report based on the agency\xe2\x80\x99s response.\n     Because OIG takes exception to a substantial portion of the comments,\n     Appendix C contains OIG\xe2\x80\x99s detailed analysis of the agency\xe2\x80\x99s written\n     response.\n\n\n\n\n                                          ii\n\x0c                   Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n       CAN      Citizen\'s Awareness Network\n       DOJ      U.S. Department of Justice\n       EDO      Executive Director for Operations\n       FOIA     Freedom of Information Act\n       NRC      Nuclear Regulatory Commission\n       OGC      Office of the General Counsel\n       OIG      Office of the Inspector General\n       OIS      Office of Information Services\n       OMB      Office of Management and Budget\n       SECY     Office of the Secretary of the Commission\n       SISP     Sensitive Information Screening Project\n       SRM      Staff Requirements Memorandum/Memoranda\n       U.S.C.   United States Code\n\n\n\n\n                                iii\n\x0c   Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n                iv\n\x0c                                      Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\nTABLE OF CONTENTS\n\n\n    EXECUTIVE SUMMARY....................................................................................i\n\n    ABBREVIATIONS AND ACRONYMS .............................................................. iii\n\n    I.     BACKGROUND ....................................................................................... 1\n\n    II.    PURPOSE................................................................................................ 7\n\n    III.   FINDING .................................................................................................. 8\n\n           A. NRC LACKS ADEQUATE INTERNAL CONTROLS NEEDED TO ENSURE\n              FOIA COMPLIANCE ............................................................................... 8\n\n    IV.    RECOMMENDATIONS.......................................................................... 19\n\n    V.     AGENCY COMMENTS .......................................................................... 20\n\n\n    APPENDICES\n\n    A. SCOPE AND METHODOLOGY ............................................................... 23\n\n    B. FORMAL AGENCY COMMENTS ............................................................. 25\n\n    C. DETAILED OIG ANALYSIS OF AGENCY COMMENTS .......................... 33\n\n\n\n\n                                                      v\n\x0cAudit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n             vi\n\x0c                                       Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\nI.    BACKGROUND\n\n                 The Office of the Inspector General (OIG) recently completed a multi-\n                 tier review of the Nuclear Regulatory Commission\xe2\x80\x99s (NRC) oversight of\n                 byproduct materials and sealed sources.1 During the course of these\n                 reviews, OIG became aware of a November 2004 staff issue paper to\n                 the Commission (commonly known as a SECY Paper) that proposed a\n                 new NRC policy for assessing the effectiveness of security measures\n                 of material licensees. The proposed new policy established a\n                 \xe2\x80\x9cdecision-making framework\xe2\x80\x9d for vulnerability assessments of materials\n                 licensees to judge the effectiveness of security requirements.\n\n                 In the subject SECY Paper, staff expressly requested a \xe2\x80\x9cCommission\n                 policy decision\xe2\x80\x9d before proceeding further on a framework for future\n                 agency actions. Specifically, the staff requested that consideration of\n                 security event consequences for the proposed framework be limited to\n                 prompt deaths noting that impacts from other consequences such as\n                 economic, environmental and latent deaths were omitted. In a\n                 subsequent Staff Requirements Memorandum (SRM), the Commission\n                 approved the staff\xe2\x80\x99s proposal and the mechanism for implementing the\n                 new policy. Because it seemed appropriate to inform the public of a\n                 proposed new policy, OIG sought to determine if the public was aware\n                 of and had input to the policy. OIG determined that NRC did not inform\n                 the public nor solicited its comments. Therefore, OIG initiated an audit\n                 to examine NRC\xe2\x80\x99s process for making certain Commission decision\n                 documents, specifically SECY Papers and SRMs, available for public\n                 review and/or comment.\n\n                 The Freedom of Information Act of 1966 (FOIA) requires Federal\n                 agencies, including NRC, to make information available to the general\n                 public by request or through automatic disclosure. In addition, NRC\n                 has a tradition of commitment to the principles of openness, fairness\n                 and due process which are embodied in legal, regulatory and\n\n\n\n\n1\n The byproduct review resulted in three audit reports: OIG-06-A-10, Audit of the Development of the National\nSource Tracking System, dated February 23, 2006; OIG-06-A-11, Audit of the NRC Byproduct Materials License\nApplication and Review Process, dated March 10, 2006; and OIG-06-A-12, NRC\'s Oversight of Agreement\nStates\xe2\x80\x99 Licensing Actions, dated April 14, 2006.\n\n                                                     1\n\x0c                                        Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                  procedural requirements that govern policy making. According to\n                  NRC, \xe2\x80\x9cto participate in a meaningful way, the public must have access\n                  to information about the design and operation of regulated facilities and\n                  use of nuclear materials.\xe2\x80\x9d2\n\n                           The Freedom of Information Act 3\n\n                  In enacting the Freedom of Information Act, Congress established the\n                  presumption that any person has the right to submit a written request\n                  for access to records or information maintained by the Federal\n                  Government. In 1996, Congress revised the FOIA statute by passing\n                  the Electronic Freedom of Information Act amendments, which include\n                  provisions for public access to information in an electronic format, as\n                  well as establishment of electronic FOIA reading rooms through\n                  agency FOIA sites on the Internet.\n\n                  FOIA explicitly provides two distinct ways for the public to gain access\n                  to records maintained by Federal agencies: (1) by a FOIA request and\n                  (2) through the less commonly known automatic disclosure\n                  requirements of FOIA (5 U.S.C. 552(a)(1) and (a)(2)).\n\n                           NRC\xe2\x80\x99s Strategic Goal of Openness\n\n                  Ensuring openness in its regulatory process is one of NRC\xe2\x80\x99s five\n                  strategic goals. According to NRC\xe2\x80\x99s FY 2004-2009 Strategic Plan, the\n                  agency\xe2\x80\x99s openness goal explicitly recognizes that the public must be\n                  informed about and have a reasonable opportunity to participate\n                  meaningfully in the agency\'s regulatory processes.4 Among other\n                  things, NRC promotes the following Openness Strategies:\n\n\n\n2\n Regulatory Issue Summary 2005-31, Control of Security-Related Sensitive Unclassified Non-Safeguards\nInformation Handled by Individuals, Firms, and Entities Subject to NRC Regulation of the Use of Source,\nByproduct, and Special Nuclear Material, dated December 22, 2005.\n3\n FOIA, enacted in 1966, is a Federal law set forth in Title 5, Section 552, of the United States Code (5 U.S.C.\n552), as amended. FOIA is a companion to the Privacy Act (5 U.S.C. 552a), enacted in 1974, which balances the\nGovernment\'s need for information about individuals with the need to protect those individuals against\nunwarranted invasions of their privacy by Federal agencies stemming from the collection, maintenance, use, and\ndisclosure of personal information.\n4\n    NRC\xe2\x80\x99s FY 2004-2009 Strategic Plan, GOAL: Ensure Openness in Our Regulatory Process.\n\n\n\n\n                                                      2\n\x0c                  Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n    \xc2\x99 Provide a fair and timely process to allow public involvement in\n      NRC decision-making in matters not involving safeguards,\n      classified, or proprietary information.\n\n    \xc2\x99 Obtain early public involvement on issues most likely to\n      generate substantial interest and promote two-way\n      communication to enhance public confidence in the NRC\'s\n      regulatory processes.\n\n       Commission Level Decision Documents\n\nSECY Papers and SRMs are the primary Commission level documents\nused by the staff and Commission to communicate with each other.\n\n       SECY Papers\n\nThe primary decision making tool of the Commission is the written\nissue paper submitted by the Office of the Executive Director for\nOperations, the Chief Financial Officer, or other offices reporting\ndirectly to the Commission. Policy, rulemaking, and adjudicatory\nmatters, as well as general information, are provided to the\nCommission for consideration in a document style and format\nestablished specifically for the purpose. Such documents are referred\nto as "SECY Papers."\n\nThe following are types of SECY Papers available for staff use\ndepending on its subject matter:\n\n\xc2\x83   Rulemaking Issue papers - promulgation of agency rules;\n\n\xc2\x83   Adjudicatory Issue papers - granting, suspending, revoking, or\n    amending of licenses; and\n\n\xc2\x83   Policy Issue papers - formulation of policy.\n\n\n\n\n                               3\n\x0c                                         Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                            Staff Requirements Memoranda5\n\n                    NRC\'s public website states that Staff Requirements Memoranda,\n                    more commonly known as SRMs, are documentation of the\n                    Commission\'s decision on written issue papers such as a SECY Paper.\n                    SRMs include any:\n\n                    \xe2\x80\xa2   approved modifications to the staff\xe2\x80\x99s recommendation;\n\n                    \xe2\x80\xa2   additional requirements or tasks to be performed by the staff\n                        together with appropriate action due dates and a priority\n                        designation, if appropriate; and\n\n                    \xe2\x80\xa2   exceptions to the immediate public release of the SRM.\n\n\n                            Public Availability of SECY Papers and SRMs\n\n                    NRC\xe2\x80\x99s \xe2\x80\x9cstated\xe2\x80\x9d policy is to immediately release SECY Papers and\n                    SRMs to the public after Commission action is completed unless they\n                    contain specific, limited types of information which warrant protection.\n                    Specifically, NRC\xe2\x80\x99s Internal Commission Procedures6 states that SECY\n                    Papers will be released 10 business days after issuance or receipt by\n                    the Commission. At its discretion, the Commission may authorize\n                    release of a SECY Paper at an earlier time than the normal practice to\n                    allow earlier public access. Conversely, the Commission and staff may\n                    recommend withholding SECY Papers and SRMs using a number of\n                    specific withholding categories. However, the procedures state that\n                    because the Commission\'s stated policy is to release papers whenever\n                    possible, \xe2\x80\x9cthe use of this withholding category should be limited and,\n                    when used, requires solid justification for withholding on a case by\n                    case basis\xe2\x80\x9d [emphasis added].\n\n\n\n\n5\n There are two types of Commission-produced SRMs. In addition to the \xe2\x80\x9cStaff Requirements Memoranda\xe2\x80\x9d\ndiscussed in this section, there are \xe2\x80\x9cMeeting SRMs.\xe2\x80\x9d As indicated, \xe2\x80\x9cMeeting SRMs\xe2\x80\x9d which may or may not be\nrelated to a staff SECY Paper, contain meeting-related information and are generally released to the public.\nBecause \xe2\x80\x9cMeeting SRMs\xe2\x80\x9d do not impact the public in the manner identified in this report, OIG excluded them\nfrom further discussion.\n6\n    NRC\xe2\x80\x99s Internal Commission Procedures, Chapter Il "Decision Documents."\n\n                                                       4\n\x0c                                         Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                              Trends in Disclosing SECY Papers and SRMs7\n\n                   According to information provided to OIG by the Office of the Secretary\n                   of the Commission, there were 2,578 SECY Papers generated at the\n                   NRC from calendar year 1996 through 20058 of which 66 percent were\n                   released to the public. However, Figure 1 indicates an increasing\n                   trend for withholding SECY Papers from 1996 to 2005.\n\n\n                                                       Figure 1\n                                  SECY Paper Release Trend 1996 to 2005\n                                 249     240\n                 250\n                         219\n\n\n                 200                                       174\n                                                                  160\n                                                                          140\n                                                                                   133     127\n                 150\n                                               134\n     SECY                                                                                        113\n     Papers\n                 100\n\n\n\n\n                  50\n\n\n\n                         52       57     66      157       70      71      89      94      110     123\n                   0\n                       1996     1997   1998     1999    2000     2001   2002     2003    2004    2005\n\n            1,689 Released (66%)                       Calendar Year\n\n              889 Withheld (34%)\n\n\n\n\n7\n OIG did not conduct a detailed analysis of the full population of SECY Papers and SRM to determine which\nones should or should not have been released to the public.\n8\n    The 1996 to 2005 SECY Papers were examined to evaluate trends in withholding of SECY documents.\n\n\n\n                                                       5\n\x0c                                          Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                 According to the information provided by the Office of the Secretary of\n                 the Commission and supplemented by the agency\xe2\x80\x99s public website,\n                 NRC issued 1,076 total SRMs from calendar year 2001 through 2005,\n                 of which 859 were SECY-related SRMs. When averaged over the\n                 specified 5-year period, 72 percent of SECY-related SRMs was\n                 withheld from the public.9 Figure 2 reflects a consistent pattern of\n                 withholding the majority of SECY-related SRMs from public release.\n\n\n                                                        Figure 2\n\n                      SECY-Related SRM Release Trend 2001 to 2005\n\n                                160\n\n                                                                       140        138        142\n                                140\n                                                              125\n\n                                 120\n\n\n                                 100\n\n                                                  75\n                         SRMs 80\n\n                                  60\n\n\n                                  40\n\n\n                                   20\n\n                                          57\n                                      0                47       43           50         42\n          239 Released (28%)               2001        2002         2003\n                                                                             2004\n          620 Withheld (72%)                                                            2005\n                                                   Calendar Year\n\n\n\n\n9\n  As previously noted on page 4, \xe2\x80\x9cMeeting SRMs\xe2\x80\x9d do not impact the public in the same manner identified\nthroughout this report. Therefore, OIG excluded \xe2\x80\x9cMeeting SRMs" from consideration in Figure 2. However, if\nfactored into the overall SRM universe, the percentages of SRMs released and withheld from the public become\n42 percent and 58 percent, respectively.\n                                                            6\n\x0c                           Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\nII.   PURPOSE\n\n          The purpose of this audit was to assess the agency\xe2\x80\x99s process for\n          evaluating SECY Papers and SRMs for public release pursuant to\n          relevant legal and regulatory requirements.\n\n          Appendix A provides a detailed description of the audit\xe2\x80\x99s scope and\n          methodology.\n\n\n\n\n                                        7\n\x0c                                  Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\nIII.        FINDING\n\n                 While NRC has a process for handling FOIA requests, the agency\n                 lacks the internal controls needed to ensure compliance with FOIA\xe2\x80\x99s\n                 automatic disclosure requirements. Furthermore, the lack of controls\n                 challenges NRC\xe2\x80\x99s commitment to its strategic goal of openness to\n                 keep the public informed of regulatory matters that affect them.\n\n       A.    NRC Lacks Adequate Internal Controls Needed to Ensure FOIA\n             Compliance\n\n                 NRC lacks adequate internal controls needed to ensure compliance\n                 with FOIA\xe2\x80\x99s \xe2\x80\x9cautomatic disclosure\xe2\x80\x9d requirements. Specifically, NRC\n                 lacks a systematic process to identify if SECY Papers and SRMs\n                 should be released to the public pursuant to FOIA automatic disclosure\n                 requirements because:\n\n                 \xc2\x83   NRC does not consider these documents to convey policy or other\n                     FOIA automatic disclosure-type material, and\n\n                 \xc2\x83   no agency organization is specifically assigned process ownership\n                     of FOIA automatic disclosure responsibilities.\n\n                 Absent adequate controls for a systematic review process, the agency\n                 may inappropriately withhold decision making documents that meet the\n                 threshold for public disclosure. As a result, NRC\xe2\x80\x99s ability to ensure full\n                 compliance with FOIA requirements is subject to challenge.\n                 Furthermore, not providing the public with sufficient information to\n                 understand and participate in NRC\xe2\x80\x99s actions that affect them\n                 compromises the agency\xe2\x80\x99s commitment to regulate in an open and\n                 transparent environment.\n\n                 Internal Control Standards and FOIA Requirements\n\n                 Internal controls are vital to ensure NRC\xe2\x80\x99s compliance with the FOIA\n                 automatic disclosure requirements and to meet the agency\xe2\x80\x99s strategic\n                 goal of openness.\n\n\n\n\n                                               8\n\x0c                                        Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                          OMB Circular A-123\n\n                 The Office of Management and Budget (OMB) Circular A-123,\n                 Management\xe2\x80\x99s Responsibility for Internal Control, cites three objectives\n                 of internal controls, one of which is to ensure compliance with\n                 applicable laws and regulations. OMB Circular A-123 prescribes that\n                 agency internal controls include the plan of organization, methods and\n                 procedures adopted by management to ensure its goals are met.\n\n                          FOIA Automatic Disclosure Requirements [552(a)(1) and\n                          (a)(2)]\n\n                 The FOIA acknowledges that agencies need to strike a balance\n                 between broad disclosure of government information and protection of\n                 public interest and national security. Nonetheless, FOIA subsections\n                 552(a)(1) and (a)(2) require automatic disclosure of documents which\n                 impact the public and have the \xe2\x80\x9cforce and effect of law.\xe2\x80\x9d10\n\n                 The U.S. Department of Justice (DOJ) cautioned Federal agencies to\n                 be mindful of their statutory obligations under subsections 552(a)(1)\n                 and (a)(2) as they administer FOIA programs that deal overwhelmingly\n                 with subsection (a)(3) FOIA requests. According to DOJ guidance,\n                 agencies need to remember that the information and records\n                 encompassed by FOIA\'s first two subsections must be "automatically\n                 available for public inspection; no demand is necessary.\xe2\x80\x9d Subsections\n                 552(a)(1) and (a)(2) are sometimes referred to as FOIA\xe2\x80\x99s \xe2\x80\x9cpublication\xe2\x80\x9d\n                 and \xe2\x80\x9creading room\xe2\x80\x9d requirements.\n\n                          Publication Requirements\n\n                 5 U.S.C. subsection 552(a)(1)(A-E) deal with the publication of agency\n                 information and requires each agency to publish a range of basic\n                 information regarding its structure and operations in the Federal\n                 Register for the guidance of the public. This FOIA subsection explicitly\n                 provides that no person may be "adversely affected" by any agency\n                 action as a result of an agency\'s failure to meet its publication\n                 obligations. 11\n\n\n10\n FOIA Update Vol. XIII No. 3, The \xe2\x80\x9cAutomatic\xe2\x80\x9d Disclosure Provisions of FOIA: Subsections (a)(1) & (a)(2), dated\n1992 [NLRB v. Sears, Roebuck & Co., 421 U.S. 132, 153 (1975) (quoting H.R. Rep. No. 1497, 89th Cong., 2d\nSess. 7 (1966))].\n11\n FOIA Update Vol. XIII No. 3, The \xe2\x80\x9cAutomatic\xe2\x80\x9d Disclosure Provisions of FOIA: Subsections (a)(1) & (a)(2), dated\n1992.\n                                                       9\n\x0c                                        Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                          Reading Room Requirements\n\n                 5 U.S.C. 552 subsections (a)(2)(A)-(C) provide what is commonly\n                 referred to as "reading room" access and applies to the types of\n                 agency records that, while not automatically published, should\n                 routinely be available to the public. As noted by a former U.S. Attorney\n                 General, \xe2\x80\x9creading room\xe2\x80\x9d requirements require disclosure by agencies\n                 of what might otherwise be regarded as an agency\xe2\x80\x99s \xe2\x80\x9csecret law.\xe2\x80\x9d12\n\n                 Through these subsections FOIA seeks to prevent agencies from\n                 attempting to make binding that which has not been disclosed to the\n                 public.\n\n                 Scope of Documents Subject to FOIA 552(a)(1) and (a)(2)\n\n                 Specifically, FOIA subsection 552(a)(1) requires each agency to\n                 publish, among other things, information regarding its "organization,"\n                 "functions," "rules of procedure," "substantive rules" and "statements of\n                 general policy" in the Federal Register for the guidance of the public.\n                 In addition, the groups of documents listed below are subject to FOIA\xe2\x80\x99s\n                 (a)(2) reading room requirements. The types of information referenced\n                 in this section shall be made \xe2\x80\x9cavailable for public inspection and\n                 copying --\n\n                 (A)      final opinions, including concurring and dissenting opinions, as\n                          well as orders, made in the adjudication of cases;\n\n                 (B)      those statements of policy and interpretations which have been\n                          adopted by the agency and are not published in the Federal\n                          Register [emphasis added];\n\n                 (C)      administrative staff manuals and instructions to staff that affect a\n                          member of the public;\n\n                 (D)      copies of all records, regardless of form or format, which have\n                          been released to any person under paragraph (3) and\n\n\n\n\n12\n  FOIA Update, Vol. XIII No. 3, Automatic Disclosure Provisions of FOIA: Subsections (a)(1) & (a)(2); Attorney\nGeneral\xe2\x80\x99s Memorandum on the 1974 Amendments to the Freedom of Information Act, US Department of Justice,\n(February 1975).\n\n                                                     10\n\x0c                                       Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                         which, because of the nature of their subject matter, the agency\n                         determines have become or are likely to become the subject of\n                         subsequent requests for substantially the same records; and\n\n                 (E)     a general index of the records referred to under subparagraph\n                         (D).\xe2\x80\x9d\n\n                 In addition, all \xe2\x80\x9creading room\xe2\x80\x9d records must be indexed to provide\n                 identifying information for the public. In this regard, FOIA specifically\n                 states:\n\n                 \xe2\x80\x9cA final order, opinion, statement of policy, interpretation, or staff\n                 manual or instruction that effects a member of the public may be relied\n                 on, used, or cited as precedent by an agency against a party other\n                 than an agency only if \xe2\x80\x93\n\n                           (i)      it has been indexed and either made available or\n                                    published as provided by this paragraph; or\n\n                           (ii)     the party has actual and timely notice of the terms\n                                    thereof.\xe2\x80\x9d13\n\n                 \xc2\xbe NRC Lacks a FOIA Review Process for SECY Paper/SRM\n                   Release\n\n                 Representatives from NRC\xe2\x80\x99s Offices of the Secretary of the\n                 Commission and General Counsel (OGC) state that procedures are in\n                 place for determining which SECY Papers and SRMs are released,\n                 and conversely, withheld. While OIG recognizes that some procedures\n                 are in place describing how to prepare SECY Papers and SRMs, the\n                 agency\xe2\x80\x99s existing guidance provides no evaluation criteria for public\n                 release determinations for SECY Papers and SRMs pursuant to the\n                 automatic disclosure requirements of FOIA [i.e., 552(a)(1) and (a)(2)].\n                 Without an established process for compliance with FOIA\n                 requirements, the agency risks the likelihood that documents have\n                 been withheld from public disclosure which if properly reviewed would\n                 have been made available.\n\n\n\n\n13\n  FOIA Update, Vol. XVII, No. 4, The Freedom of Information Act, 5 U.S.C. 552, As Amended by Public Law No.\n104-231, 110 Stat. 3048 (1996).\n                                                    11\n\x0c                 Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\nReview of Agency Guidance for Designation of 552(a)(1) and (a)(2)\nResponsibilities\n\nThere should be a clear, formal process for assessing whether a\ndocument should or should not be released to the public while\nexpressing a need for balance between protecting public openness (an\nagency goal) and common defense and security (the agency\xe2\x80\x99s\nmission). OIG reviewed the entire index of NRC management\ndirectives and manual chapters to identify any documents that address\nFOIA requirements, specifically the public release of documents.\nAlthough references to FOIA activities were found, none of the internal\nguidance documents at the time of our review designated a person or\ngroup responsible for a process designed to identify documents\nsubject to 552(a)(1) or (a)(2) automatic release, the subsequent\nredaction review of such documents, their release in whole or part, or\nthe required indexing.\n\nIn a March 2006 revision to NRC\xe2\x80\x99s Management Directive 3.1,\nFreedom of Information Act, the Director of the Office of Information\nServices (OIS) was identified with responsibilities for ensuring that a\n\xe2\x80\x9cprogram to administer the FOIA and the PA [Privacy Act] is effectively\nimplemented within NRC.\xe2\x80\x9d OIS also has responsibility for managing\nthe NRC web site that allows the public to inspect and copy records as\nrequired by subsection (a)(2) of FOIA. However, OIG notes that this\nManagement Directive does not identify who in the agency has\nresponsibility for developing or implementing a process that defines\nwhat documents should be reviewed for FOIA automatic disclosure\ncompliance and what criteria to apply during such a review.\n\nWith the public\'s need to know as its premise, FOIA guidance states\nthat agency information that affects the public must be subject to the\nautomatic disclosure requirements of subsections 552(a)(1) and (a)(2).\nAnd, while many Commission decision documents direct the staff\nregarding purely internal agency operations, this is not exclusively the\ncase. As a result, some SECY Papers and SRMs which ultimately\naffect the public are withheld from automatic disclosure without being\nsubject to a FOIA review.\n\nNo Systematic Review for 552(a)(1) and (a)(2) Compliance\n\nAccording to OGC officials, SECY Papers and SRMs do not contain\nthe type of information subject to FOIA\xe2\x80\x99s automatic disclosure\nrequirements, and therefore, do not need to be reviewed for public\n                            12\n\x0c                  Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\nrelease. Consequently, no process exists for conducting a systematic\nreview of SECY Papers or SRMs pursuant to FOIA automatic\ndisclosure requirements. The decision to make some SECY Papers\nand SRMs available to the public while others are withheld depends on\nthe judgment of individuals rather than a systematic review process.\n\nNRC\xe2\x80\x99s Internal Commission Procedures and management directives\nprovide guidance and procedures for the preparation and distribution of\nSECY Papers and SRMs. The internal guidance does not provide\nevaluation criteria needed to determine if in fact these decision\ndocuments contain material subject to FOIA\xe2\x80\x99s automatic disclosure\nrequirements. In other words, the guidance discusses \xe2\x80\x98who\xe2\x80\x99 is\nresponsible for ensuring a review takes place, but not \xe2\x80\x98how\xe2\x80\x99 or \xe2\x80\x98what\xe2\x80\x99 to\nmeasure regarding the substance or sensitivity of the content. For\nexample,\n\n\xc2\x83   NRC\xe2\x80\x99s Internal Commission Procedures states that the Office of the\n    Secretary will adopt the sensitivity markings of the source SECY\n    Paper for the associated SRM and subsequently treat the release\n    of both documents accordingly. However, the procedures do not\n    include a requirement to evaluate the accuracy or appropriateness\n    of a SECY Paper\xe2\x80\x99s markings or whether the SRM should be\n    handled differently for release purposes.\n\n\xc2\x83   Similarly, while Management Directive 3.4, Release of Information\n    to the Public, identifies that staff (in each NRC program office) is\n    responsible for conducting releasability reviews, it does not define\n    the criteria to be used for such a review and specifically says, in\n    part, that \xe2\x80\x9cthis directive does not govern public disclosure of\n    information required by or requested under FOIA.\xe2\x80\x9d\n\nThe inherent risk in relying on individuals rather than a defined process\nis that individuals may use differing or inaccurate criteria to assess the\nsensitivity of the document which ultimately determines the\nreleasability of SECY Papers and SRMs.\n\n\xc2\xbe NRC Does Not Consider SECY Papers/SRMs Subject to\n  Automatic Disclosure\n\nAccording to agency managers and attorneys, SECY Papers and\nSRMs are only intended to provide guidance, clarifications and\ninstructions to staff which do not affect the public. For these reasons,\nagency officials take the position that neither of these type documents\nrequires a review for 552(a)(1) or (a)(2) subject matter. This position\n                             13\n\x0c                  Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\neffectively establishes a \xe2\x80\x9csafe harbor\xe2\x80\x9d from the requirements of FOIA\nautomatic disclosure whereby compliance is never at issue. However,\nthere is no documented agency legal position and the agency did not\ncite any legal authority in support of this position.\n\nThe agency\xe2\x80\x99s \xe2\x80\x9csafe harbor\xe2\x80\x9d approach to compliance hinges on the\nclaim that SECY Papers and SRMs do not exceed their intended use\nof providing guidance, clarifications and instructions to the staff that do\nnot adversely affect the public. However, OIG identified that some\nSECY Papers and SRMs withheld from the public appear to satisfy the\nFOIA disclosure criteria under 552(a)(1) or (a)(2), including impacting\nthe public. These documents contain regulatory interpretations,\ninstructions to the staff, and statements of agency policy - each a type\nof FOIA information subject to automatic release to the public. Yet,\nNRC has not identified any internal controls that provide direction to\nstaff members developing SECY Papers and SRMs to ensure that the\ninformation included in these documents does not exceed their\nintended use as described above.\n\nAccording to OGC, the lead agency for providing guidance on\ngovernment FOIA procedures and policy is the Department of Justice.\nTherefore, OIG contacted a DOJ attorney who is a recognized\nauthority on 5 U.S.C. 552(a)(2) to discuss the status of SECY Papers\nand SRMs. The DOJ representative stated that it is problematic that\nNRC has predetermined that FOIA automatic disclosure requirements\ndo not apply to a large class of documents (i.e., SECY Papers and\nSRMs) without a thorough review. As pointed out by DOJ, automatic\ndisclosure requirements are applicable based on the statutory criteria,\nregardless of the titles the NRC has chosen for these documents.\n\nDOJ\xe2\x80\x99s brief review of NRC\xe2\x80\x99s website index of SECY Papers and SRMs\nrevealed that these documents cover a large range of topics, including\nseveral that appeared to be \xe2\x80\x9cinstructions to the staff\xe2\x80\x9d or policy\nstatements (i.e., material possibly subject to automatic disclosure).\nAccording to the DOJ representative, the clearest basis of compliance\nwith FOIA would require a case-by-case review of SECY Papers and\nSRMs to determine 552(a)(2) applicability, or alternatively, designation\nof 552(a)(2) status by document authors (once trained on applicable\nstandards) at the time of document creation. But, at a minimum, NRC\nwould benefit from some type of screening process for SECY Papers\nand SRMs.\n\nIn addition, there is at least one other class of agency documents\nexempted from public disclosure without a specific FOIA request,\n                               14\n\x0c                                        Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                 regardless of potential impact to the public. Per Commission directive,\n                 and similar to SECY Papers and SRMs, agency documents marked\n                 sensitive \xe2\x80\x9csecurity-related information\xe2\x80\x9d are automatically unavailable\n                 for public view without benefit of a review pursuant to FOIA criteria for\n                 automatic disclosure.14\n\n                 Practice and Treatment Inconsistent with \xe2\x80\x9cSafe Harbor\xe2\x80\x9d Claim\n\n                 Although NRC has adopted the position that SECY Papers and SRMs\n                 are not subject to FOIA automatic disclosure, a 1994 court case\n                 renders that position questionable. In the court case, NRC\n                 acknowledged that SECY Papers and SRMs do contain interpretations\n                 and policy changes, FOIA automatic disclosure-type material as\n                 identified in 5 U.S.C. 552(a)(1) and (a)(2).\n\n                 The above referenced court case provides one of the most notable\n                 examples of the agency\xe2\x80\x99s varied uses of SECY Papers and SRMs.\n                 The specifics follow:\n\n                 \xc2\xbe In a 1994 lawsuit,15 the Citizen\xe2\x80\x99s Awareness Network (CAN)\n                   appealed an NRC denial of a petition to the First Circuit Court on\n                   the grounds that the issues presented in a series of Commission\n                   documents, specifically SRMs, should have been subject to NRC\n                   hearings. In its argument before the First Circuit, agency attorneys\n                   took the position that the subject SRMs were policy changes or\n                   \xe2\x80\x9cinterpretations of its [NRC\xe2\x80\x99s] own regulations\xe2\x80\x9d [emphasis added].\n                   As such, NRC attorneys argued that the agency was entitled to\n                   great deference and that hearings did not apply to these types of\n                   actions.\n\n                 \xc2\xbe The court agreed with the NRC characterization of the SRMs as\n                   changes in policy or interpretations of agency regulations.\n                   However, the court also found that these changes in policy\n                   effectively constituted rulemaking, were \xe2\x80\x9carbitrary and capricious,\xe2\x80\x9d\n\n\n\n14\n   Memorandum, A. Vietti-Cook to L. Reyes and K. Cyr, re: Staff Requirements \xe2\x80\x93 SECY-05-0101, Withholding\nfrom Public Disclosure Sensitive Unclassified Information Concerning Materials Licensees and Certificate\nHolders, dated October 7, 2005.\n15\n  Citizen\xe2\x80\x99s Awareness Network, Inc., Petitioner, v. U.S. Nuclear Regulatory Commission, Respondent, and\nYankee Atomic Electric Company, Intervenor. No. 94-1562, U.S. Court of Appeals for the First Circuit; Decided\nJuly 20, 1995.\n\n\n\n                                                     15\n\x0c                 Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\nand not in accordance with the hearing requirements of the Atomic\nEnergy Act (42 U.S.C. \xc2\xa7 2239(a)(1)(A)). The court remanded the\nmatter back to the agency in accordance with notice and comment\nrequirements.\n\nThe SRMs referenced in the above case (and their associated SECY\nPaper) dealt with allowing licensees to start decommissioning work\nprior to approval of a decommissioning plan, something the court found\nto have a clear effect on the public. As policy statements or\ninterpretations that affect the public, these documents should be\nsubject to FOIA automatic disclosure. Thus, as early as 1995, the\nagency acknowledged that SECY Papers and SRMs can contain\nstatements of NRC policy and interpretations.\n\n       Recent SECY Paper and SRM Contain Policy\n\nNRC SECY Papers and SRMs continue to have apparent policy\nimplications. As previously noted in this report, during an ongoing\naudit OIG learned of a November 2004 SECY Paper and its associated\nSRM which established a new NRC policy for assessing the\neffectiveness of licensees\xe2\x80\x99 security measures, an issue that has\neventual impact on the public. In the subject SECY Paper, staff\nrequested that consideration of the impacts of security event\nconsequences be limited to prompt deaths. The staff noted that other\nconsequences such as economic and environmental impacts and\nlatent deaths were omitted from consideration when developing the\nproposed decision-making framework. In their SRM response, the\nCommission approved the staff\xe2\x80\x99s proposed new framework and a\nmechanism for use in implementing the new policy.\n\nA subsequent SECY Paper, dated March 1, 2006, documented the\nagency\xe2\x80\x99s extensive use of the mechanism (i.e., a decision matrix)\npresented in the approved decision-making framework to evaluate the\nsecurity vulnerability of various materials and research and test reactor\nlicensees. This March 2006 SECY Paper communicated the results of\nthe initial assessments to the Commission, stating in part:\n\nThe staff used the Commission-approved decision making framework\nto evaluate the results which indicated that the security measures\nalready taken by the Commission are sufficient to ensure adequate\nprotection of the public and promote common defense and security.\nThe results also indicated that some select enhancements to NRC\xe2\x80\x99s\nregulatory framework may be warranted [emphasis added].\n\n                             16\n\x0c                  Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\nThe above statement clearly indicates that the NRC staff adopted and\nimplemented the new criteria presented in the November 2004 SECY\nPaper. The statement also demonstrates the impact on the public.\nThe decision-making framework and the subsequent evaluation results\nregarding the adequacy of regulatory requirements were\ncommunicated through the subject SECY Papers and SRM thereby\nconstituting either policy or instructions to staff, both which affect the\npublic. Therefore, evidence indicates that the SECY Papers and SRM\ndiscussed above meet the criteria for automatic disclosure in whole or\nin part pursuant to 5 U.S.C. 552 (a)(2).\n\n\xc2\xbe Inadequate Controls Lead to Uncertain FOIA and Openness\n  Compliance\n\nAs described earlier, SECY Papers and SRMs lack the appropriate\nreviews to determine whether individual documents should be\nautomatically disclosed pursuant to 552(a)(1) or (a)(2). OIG did not\nconduct a comprehensive inventory or review to determine whether\nother NRC documents may be missing the same disclosure reviews.\nHowever, evidence indicates that other examples exist leading to a\nlevel of uncertainty regarding the agency\xe2\x80\x99s compliance with FOIA and\nits own strategic goal for open, transparent regulation. For example, a\n2005 Commission SRM directed staff to automatically exclude from\npublic release another entire class of documents marked as \xe2\x80\x9csensitive\nsecurity information\xe2\x80\x9d without a systematic review to validate the\nsensitive treatment.\n\nAs one Commissioner recently stated, there are a couple of classes of\ninformation (i.e., documents marked as sensitive internal and sensitive\nsecurity-related) that at least need to be reviewed on a periodic basis\nto better insure that the agency is making the right determination about\nwhat gets marked [for public release] and what doesn\'t. However, to\ndate, similar to SECY Papers and SRMs, there is no review of these\nclasses of information for FOIA automatic disclosure considerations.\n\nSummary/Conclusion\n\nNRC internal controls pertaining to FOIA\xe2\x80\x99s automatic disclosure\nrequirements are inadequate. Specifically, NRC lacks a defined review\nprocess applicable to SECY Papers and SRMs to ensure full\ncompliance with FOIA requirements because they are considered \xe2\x80\x9csafe\nharbor\xe2\x80\x9d documents. In addition, no organizational unit within the\n                              17\n\x0c                 Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\nagency has been clearly identified with ownership of a process\ndesigned to ensure agency documents are properly reviewed for FOIA\nautomatic disclosure compliance. As a result, SECY Papers and\nSRMs are designated for public release by individual determination\nrather than by a systematic evaluation for applicability of FOIA\nautomatic disclosure requirements. The inherent risk in relying on\nindividuals rather than a defined process is that individuals may use\ndiffering criteria to assess the sensitivity and releasability of the\ndocument.\n\nHistorically, NRC has made SECY Papers and SRMs available to the\npublic at its discretion. Numerous SECY Papers and SRMs are\navailable for public view on the agency\xe2\x80\x99s website. However, as of the\ndate of this report, there is an extensive collection of SECY Papers and\nSRMs that have not been reviewed for public availability per FOIA\n552(a)(1) and (a)(2) because they were marked as \xe2\x80\x9csensitive\xe2\x80\x9d\ninformation. As the CAN court case illustrates, NRC used a SECY\nPaper and SRMs to convey policy which, by affecting the public, meets\nthe threshold for FOIA automatic disclosure. A recent set of related\nSECY Papers and SRMs contain policy and/or staff instructions which\naffect the public, thereby meeting the automatic disclosure\nrequirements. However, these unclassified documents have not been\ndisclosed to the public.\n\nSince 1995, NRC has had direct evidence that its \xe2\x80\x9csafe harbor\xe2\x80\x9d\nposition on SECY Papers and SRMs is questionable. Yet the agency\nhas taken no action to institute a review process (internal controls) to\nensure public notification as required by law. Therefore, NRC fails to\nmeet one of the primary objectives of internal controls as stated in\nOMB Circular A-123: reasonable assurance of NRC\xe2\x80\x99s compliance with\nlaws and regulations.\n\nNRC lacks the internal controls to determine whether SECY Papers\nand SRMs meet the specific requirements for FOIA compliance. As a\nresult, the agency has exempted an entire class of documents without\nan adequate review process or documented justification for\nwithholding. The lack of a rigorous review process jeopardizes NRC\xe2\x80\x99s\ncompliance with FOIA automatic disclosure requirements and hampers\nthe Commission\xe2\x80\x99s ability to fully achieve its strategic goal of regulatory\nopenness, thereby undermining public confidence in the agency.\n\n\n\n\n                             18\n\x0c                         Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\nIV.   RECOMMENDATIONS\n\n         OIG recommends that the Executive Director for Operations:\n\n         1.   Develop a program for NRC compliance with FOIA\xe2\x80\x99s automatic\n              disclosure requirements.\n\n         2.   Conduct a documented FOIA 552(a)(1) and (a)(2) review of\n              previously unpublished SECY Papers and SRMs.\n\n\n\n\n                                     19\n\x0c                         Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\nV.   AGENCY COMMENTS\n\n        On June 20, 2006, OIG issued its draft report to the Executive Director\n        for Operations. OIG subsequently met with managers from the Office\n        of the Secretary of the Commission regarding data on the public\n        release of SRMs and clarified the final report as appropriate.\n\n        On August 2, 2006, the EDO provided the agency\xe2\x80\x99s formal response to\n        this report stating disagreement with the report\xe2\x80\x99s finding and\n        conclusions. The agency agreed, in part, to Recommendation 1 which\n        calls for development of a program designed to ensure SECY Papers\n        and SRMs are reviewed against criteria presented in FOIA\xe2\x80\x99s automatic\n        disclosure sections (i.e., 552(a)(1) and (a)(2)). However, the agency\n        disagreed with Recommendation 2 to perform a documented 552(a)(1)\n        and (a)(2) review of previously unpublished SECY Papers and SRMs.\n        The agency\xe2\x80\x99s comments are included in their entirety as Appendix B.\n\n        The central message of OIG\xe2\x80\x99s report is that the agency lacks the\n        internal controls to review SECY Papers and SRM documents to\n        ensure compliance with FOIA\xe2\x80\x99s automatic disclosure requirements.\n        OMB Circular A-123 emphasizes that effective internal controls provide\n        a basis for reasonable assurance of compliance with legal\n        requirements. Conversely, ineffective management controls eliminate\n        an agency\xe2\x80\x99s reasonable assurance of compliance with legal\n        requirements. The agency response cites a number of document\n        reviews; however, none of these processes provides for a review of\n        SECY Papers or SRMs against FOIA\xe2\x80\x99s automatic disclosure\n        requirements. Therefore, the agency reviews do not provide\n        reasonable assurance of compliance with the legal requirements of\n        FOIA automatic disclosure.\n\n        The agency response also implies that the large number of documents\n        that NRC makes public is evidence of compliance and caused\n        confusion on the part of the OIG regarding discretionary release. In\n        this regard, the agency response cites an example of non-compliance\n        but asserts, without evidence, that such an example would be rare.\n\n        In summary, the agency failed to support its argument that it fully\n        complies with FOIA\xe2\x80\x99s automatic disclosure requirements. OIG\n        reiterates it\xe2\x80\x99s finding that NRC lacks the internal controls needed to\n        reasonably assure full compliance with FOIA and the agency\xe2\x80\x99s own\n        openness policy.\n\n\n                                     20\n\x0c                Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\nNo changes were made to this report based on the agency\xe2\x80\x99s response.\nAppendix C contains OIG\xe2\x80\x99s detailed analysis of the agency\xe2\x80\x99s formal\ncomments.\n\n\n\n\n                            21\n\x0c   Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               22\n\x0c                        Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                                                                             Appendix A\nSCOPE AND METHODOLOGY\n\n       During a previous audit, NRC identified an issue regarding the\n       agency\xe2\x80\x99s apparent use of a SECY Paper and SRM to effect a change\n       in NRC policy. OIG determined that the SECY Paper and related SRM\n       in question were not vetted in a public forum although they represent a\n       policy change. Because SECY Papers and SRMs historically cover a\n       broad range of information, it is important to ensure that they are\n       properly reviewed to ensure all applicable regulatory requirements are\n       met.\n\n       The purpose of this audit was to:\n\n       \xc2\x99 assess the agency\xe2\x80\x99s process for evaluating SECY Papers and\n         SRMs for public release pursuant to relevant legal and regulatory\n         requirements\n\n       To address the audit objective, OIG reviewed relevant management\n       controls, related documentation, and Federal statutes, including\n       reviews of:\n\n       \xc2\xbe     Management Directives and Manual Chapters\n       \xc2\xbe     The Freedom of Information Act\n       \xc2\xbe     OMB Circular A-123\n       \xc2\xbe     GAO\xe2\x80\x99s Internal Control Standards\n       \xc2\xbe     SECY Papers and related SRMs\n       \xc2\xbe     Code of Federal Regulations, Title 10\n       \xc2\xbe     NRC\xe2\x80\x99s public website\n\n       Auditors conducted interviews with agency and other Federal\n       individuals, including:\n\n       \xc2\xbe     Headquarters\xe2\x80\x99 senior managers and staff from the Offices of:\n             \xe2\x80\xa2 the Commission,\n             \xe2\x80\xa2 the Secretary of the Commission,\n             \xe2\x80\xa2 the General Counsel,\n             \xe2\x80\xa2 Information Services,\n             \xe2\x80\xa2 Nuclear Reactor Regulation,\n             \xe2\x80\xa2 Nuclear Security and Incident Response, and\n             \xe2\x80\xa2 Nuclear Material Safety and Safeguards\n\n\n\n                                    23\n\x0c                Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\xc2\xbe     Department of Justice\n\nOIG conducted this audit between November 2005 and March 2006 in\naccordance with generally accepted Government auditing standards\nand included a review of management controls related to the objective\nof this audit. The major contributors to this report were Anthony\nLipuma, Team Leader; Catherine Colleli, Audit Manager; Michael\nCash, Senior Technical Advisor, and James McGaughey, Senior\nManagement Analyst.\n\n\n\n\n                            24\n\x0c                 Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                                                                       Appendix B\nFORMAL AGENCY COMMENTS\n\n\n\n\n                             25\n\x0cAudit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n            26\n\x0cAudit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n            27\n\x0cAudit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n            28\n\x0cAudit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n            29\n\x0cAudit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n            30\n\x0cAudit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n            31\n\x0cAudit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\n\n            32\n\x0c                         Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n                                                                              Appendix C\nDETAILED OIG ANALYSIS OF AGENCY COMMENTS\n\n        On June 20, 2006, OIG issued its draft report to the Executive Director\n        for Operations. OIG subsequently met with managers from the Office\n        of the Secretary of the Commission regarding data on the public\n        release of SRMs and clarified the final report as appropriate. On\n        August 2, 2006, the EDO provided a formal response to this report\n        (see Appendix B).\n\n        Below is OIG\xe2\x80\x99s detailed analysis of the agency\xe2\x80\x99s formal comments.\n        Page numbers referenced correspond to those in the agency response\n        included as Appendix B.\n\n        Overview\n\n        OIG\xe2\x80\x99s central message is that the agency does not have a process\n        mechanism (internal controls) to review SECY Papers and SRM\n        documents to determine whether they are subject to FOIA automatic\n        disclosure under 552(a)(1) and (a)(2). Absent such a process, the\n        agency lacks reasonable assurance, as specified in OMB Circular A-\n        123, that it fully complies with FOIA\xe2\x80\x99s automatic disclosure\n        requirements.\n\n        The OIG report also questions the agency\xe2\x80\x99s categorical exemption of\n        SECY Papers and SRMs from FOIA automatic disclosure\n        consideration. This exemption was asserted repeatedly by the Office\n        of the General Counsel during our audit. However, the EDO\xe2\x80\x99s\n        response acknowledges that a categorical exclusion is inappropriate\n        and that no specific procedure currently exists for conducting FOIA\n        automatic disclosure reviews of SECY Papers and SRMs.\n\n        The agency\xe2\x80\x99s response further implies that a document marking\n        practice satisfies the FOIA automatic disclosure review requirements.\n        Yet, no explanation or basis as to how marking documents as \xe2\x80\x9cmay be\n        exempt from release\xe2\x80\x9d satisfies the FOIA requirement that the\n        documents be reviewed to determine whether any portion of a\n        document is releasable. The agency, therefore, has no basis upon\n        which to assert full compliance with FOIA automatic disclosure\n        requirements based on the review discussed in its response.\n\n\n\n\n                                     33\n\x0c                               Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n             In summary, OIG remains convinced that NRC lacks the internal\n             controls needed to ensure full compliance with FOIA\xe2\x80\x99s automatic\n             disclosure requirements and the agency\xe2\x80\x99s own openness policy.\n             Therefore, no changes have been made to the report based on the\n             agency\xe2\x80\x99s formal comments.\n\nNRC Comment on Page 1, Paragraph 1\n\n\xe2\x80\x9cThis memorandum will not specify the statistical data errors on release of\nCommission decision documents in the draft report; those have been addressed\nseparately with the OIG audit team by the Secretary of the Commission (SECY).\xe2\x80\x9d\n\n\nOIG Response\nOIG met with managers in the Office of the Secretary of the Commission to clarify\nthe statistics on the release of SRMs. The SECY staff concurred with the total\nnumbers of SRMs issued, but disagreed with the percentage of SRMs released to\nthe public because "Meeting SRMs," which are available but not identified on the\npublic "SRM" index, were not reflected in the draft report\xe2\x80\x99s SRM chart. If factored in\nthe totals, the overall percentage of SRMs withheld from the public drops from 78%\nto 58%. However, Meeting SRMs do not carry the same significance as SRMs\nrelated to SECY Papers. Therefore, to provide a more accurate understanding of\nthe public availability of SRMs which may have impact on the public (i.e., SECY-\nrelated SRMs), OIG\'s audit report will NOT reflect the population of Meeting SRMs.\nAs a result, OIG\xe2\x80\x99s report was revised to state that 72% of SECY-related SRMs were\nwithheld from the public over the period 2001-2005.\n\n\nNRC Comment on Page 2, Paragraphs 1 and 2\n\nThe agency states that the subject SECY Paper, and related SRM, was classified\nand therefore withheld from public disclosure on the basis of FOIA exemptions 2 and\n5.\n\nOIG Response\nWith respect to application of the FOIA exemption, the SRM contains a marking on\nthe cover that states inter alia, \xe2\x80\x9cOFFICIAL USE ONLY May be Exempt from public\nrelease under the Freedom of Information Act (5 U.S.C. 552) Exemption number[sic]\n2, 5 Nuclear Regulatory Commission review required before public release.\xe2\x80\x9d\n(emphasis added)\n\n\n\n\n                                           34\n\x0c                               Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\nDuring our audit, OIG determined that the subject SECY Paper itself was not\nclassified; only three of the six SECY Paper attachments were classified documents.\nThe SECY Paper states that it is an \xe2\x80\x9cOFFICIAL USE ONLY\xe2\x80\x9d document upon\nseparation from the three classified attachments. The decision-making framework\n(attachment 2) also was not a classified document. Therefore, the classification\nstatus of the attachments is not relevant to the SECY Paper, its three unclassified\nattachments, or the related SRM. As a result, given the agency\xe2\x80\x99s own Internal\nCommission Procedure requirements, it appears that the SECY Paper and SRM\nshould have been released to the public. Furthermore, under 552(a)(1) and (a)(2)\nrequirements (i.e., FOIA automatic disclosure), the classified attachments should\nhave been reviewed and released in redacted form, if possible.\n\nOIG notes that markings are added to documents in anticipation of a potential FOIA\nrequest to alert a FOIA reviewer of the potential for non-releasable material. These\nmarkings do not represent a determination as to the ultimate disposition of the\ndocument. If these documents were requested under FOIA, then a detailed review\nwould occur to determine whether any \xe2\x80\x9creasonably segregable portion\xe2\x80\x9d could be\nreleased under FOIA. This review is mandated by FOIA and is incorporated into\nManagement Directive 3.1 which governs FOIA procedures for requested\ndocuments. There is no detailed procedure for review of FOIA automatic disclosure\nmaterials for reasonably segregable portion release. The marking process does not\naccomplish this statutorily required purpose.\n\n\nNRC Comment on Top of Page 4\n\nThe agency states that the draft audit report is \xe2\x80\x9cundermined by the lack of citation to\ncomparable documents being considered (a)(2) records by other federal agencies\xe2\x80\x9d\nand that DOJ\xe2\x80\x99s failure to include documents similar to SECY Papers and SRMs in its\nown reading room \xe2\x80\x9cis instructive.\xe2\x80\x9d\n\nOIG Response\nOIG does not dispute that a large volume of documents are publicly available on\nNRC\xe2\x80\x99s website and OIG did credit the agency for the organizational structure of the\nFOIA website. However, OIG also noted concerns about the withholding of SECY\nPapers and SRMs from this website. In addition, the EDO\xe2\x80\x99s comments do not\nexplain the means for determining what other Federal agency documents would be\n\xe2\x80\x9ccomparable.\xe2\x80\x9d The practice of other agencies was not the subject of OIG\xe2\x80\x99s review.\n\n\n\n\n                                           35\n\x0c                               Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\nNRC Comments on Page 4, last paragraph and Page 5, Paragraphs 1 and 2\n\nThe agency\xe2\x80\x99s response states that \xe2\x80\x9cinformed reviews for public release of these\npapers are accomplished in accordance with carefully considered criteria by those in\nthe best position to make such assessments\xe2\x80\x9d and \xe2\x80\x9cin conformance with long-\nstanding practice, the creator of the document makes an initial assessment of\nsuitability for public release, in consultation with technical experts or appropriate\nadvisers, as necessary.\xe2\x80\x9d Summarizing, the agency states that \xe2\x80\x9cthis may fairly be\ndeemed to be a systematic and reliable review process.\xe2\x80\x9d\n\nOIG Response\nThis response provides no indication that anyone in the determination or review\nchain explicitly evaluates SECY Papers or SRMs against the FOIA automatic\ndisclosure criteria. In this regard, the reviews described by the agency are not\nsystematic or reliable because they do not specifically evaluate for FOIA automatic\ndisclosure determinations. In fact, discussions with staff and managers throughout\nthis audit determined that most were not familiar with the specific criteria for\nautomatic disclosures.\n\n\nNRC Comment on Page 5, Paragraph 3\n\nThe agency comments on OIG\xe2\x80\x99s assertion that \xe2\x80\x9csome SECY papers and SRMs that\nultimately affect the public are withheld from automatic disclosure without being\nsubject to a FOIA review\xe2\x80\x9d as being a circular argument, in that \xe2\x80\x9cOIG assumes what it\nsets out to prove, without any independent support for the veracity of the statement.\nThis charge may result from a misunderstanding of the agency\xe2\x80\x99s exercise of its\nauthority to make discretionary disclosure of documents that it otherwise has no\nobligation to release to the public.\xe2\x80\x9d\n\nOIG Response\nThe OIG reasoning is as follows. The agency has had no internal reviews to\ndetermine whether SECY Papers or SRMS are subject to automatic disclosure\nunder 552(a)(1) and (a)(2). Additionally, the agency has no established basis for\ncategorically exempting SECY Papers and SRMs from automatic disclosure\nconsideration. This lack of internal controls and lack of valid exemption creates a\nrisk that documents are improperly withheld. In support, the OIG report documents\n\n\n\n\n                                           36\n\x0c                                Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\ntwo cases where SECY Papers and SRMs would meet the FOIA automatic release\ncriteria. Absent evidence demonstrating that the remaining SECY Papers and\nSRMs are not subject to release, in whole or in part, it is more likely than not that\nother SECY Papers and SRMs were improperly withheld.\n\n\nNRC Comment on Page 5, Paragraph 4 and Top of Page 6\n\nThe agency response states that the \xe2\x80\x9cSECY paper at the center of this audit does\nnot purport to establish policy and is not an (a)(2) document.\xe2\x80\x9d Likewise, SRMs in\nresponse to SECY Papers often provide actions to be completed and they represent,\nfor the most part, works in progress. \xe2\x80\x9cIt should be clear, therefore, that since these\ndocuments are not the end result, it will be the rare SECY paper or SRM that will\nembody such statements of policy as are required to be published under (a)(1) or\nreleased under (a)(2).\xe2\x80\x9d\n\nOIG Response\nRegarding the SECY Paper analyzed in the OIG report, it is clear from the face of\nthe document that the staff was seeking policy guidance from the Commission. In\naddition, the \xe2\x80\x9cinstructions to the staff\xe2\x80\x9d provided in the associated SRM resulted in\nactions that in the staff\xe2\x80\x99s own words \xe2\x80\x9censure adequate protection of the public and\npromote common defense and security.\xe2\x80\x9d The finality of these determinations and\nthe nexus to public effect is clear. There is no additional information provided in the\nagency response that alters the OIG opinion regarding the applicability of FOIA\xe2\x80\x99s\nautomatic disclosure status to these documents.\n\nThe remaining analysis is largely a restatement of the agency\xe2\x80\x99s position that SECY\nPapers and SRMs generally do not contain policy. The agency response provided\nearlier (on page 5, 2nd paragraph) acknowledges the risk this poses, agreeing with\nthe DOJ expert cited in the OIG report. However, the agency\xe2\x80\x99s response admits that\nin some cases SECY Papers and SRMs will meet the automatic disclosure\nrequirements for FOIA albeit a \xe2\x80\x9crare\xe2\x80\x9d occurrence. The response provides no basis\nas to why this would be a \xe2\x80\x9crare\xe2\x80\x9d result. Without a structured document-by-document\nreview process this conclusion is not supported.\n\n\nNRC Comment on Page 6, 2nd Full Paragraph\n\nThe agency response states that several initiatives were undertaken to review the\napplication of FOIA criteria to security-related information and to provide \xe2\x80\x9cclarifying\nstaff guidance on criteria for withholding sensitive information\xe2\x80\xa6\xe2\x80\x9d One particular task\nforce \xe2\x80\x9cspecifically inquired into the Commission\xe2\x80\x99s obligations and authority under\nsubsection (a)(2) of the FOIA.\xe2\x80\x9d The agency summarizes in SECY-05-0091, \xe2\x80\x9cTask\n                                            37\n\x0c                               Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\nForce Report on Public Disclosure of Security-Related Information\xe2\x80\x9d that \xe2\x80\x9cunder 5\nU.S.C. \xc2\xa7552(a)(2), the NRC is not required to make publicly available records that\nhave no precedential value and do not constitute the working law of the agency.\xe2\x80\x9d\n\nOIG Response\nOIG acknowledges the agency\xe2\x80\x99s efforts to find an appropriate balance between its\ngoal of openness and the need to protect sensitive security-related information.\nHowever, the agency continues to erroneously equate a review for security\nsensitivity with a review for application of the FOIA requirements. In addition, the\nagency\xe2\x80\x99s response in this section does not address the need to review SECY\nPapers and SRM documents against FOIA\xe2\x80\x99s automatic disclosure criteria.\n\nThe cited task force report (SECY-05-0091) did note that wide discretion is available\nunder a Sensitive Information Screening Project (SISP) review of documents subject\nto the prompt disclosure requirements of 552(a)(2). Yet the task force report also\nstated that (regarding current staff practices with SISP reviews) "this approach does\nnot satisfy the requirements of FOIA." (The emphasis is in the original text of the\nreport.) Going further, the task force notes that SISP reviews do not undertake a\nredaction review whereas FOIA requires, "all reasonably segregable material that is\nnot exempt under the statute must be disclosed."\n\nMore recently, a senior agency attorney told the Commission that when an actual\nFOIA request is received, a determination of whether or not a document is exempt\nfrom disclosure is made by the officials assigned that responsibility (as opposed to\nthe staff\'s predetermination when creating a SECY Paper). The attorney added that\nin the security area, initial release designations \xe2\x80\x9cmight not necessarily be accurate\nbecause they\xe2\x80\x99re not undergoing legal review at that time.\xe2\x80\x9d\n\n\nNRC Comment on Page 6, 3rd Full Paragraph to Page 7\n\nThe agency response highlights a number of considerations to be given to the\nrelease of documents including homeland security and technical or security policy\nconsiderations. According to the response, determinations must be made on a\ncase-by-case basis. The section concludes that OIG disagreement with the\noutcome of these assessments is the basis of finding that \xe2\x80\x9can (a)(2) review was not\naccomplished.\xe2\x80\x9d\n\n\n\n\n                                           38\n\x0c                               Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\nOIG Response\nThis response provides no indication that anyone in the determination or review\nchain explicitly considered the SECY Papers and SRMs against the criteria for\nautomatic disclosure. The lack of review of this entire class of Commission decision\ndocuments against FOIA\xe2\x80\x99s automatic disclosure requirements underlies the OIG\nfinding.\n\n\nNRC Comment on Page 7, 1st Full Paragraph\n\nThe agency response states that the premature disclosure of internal deliberative\nexchanges between the Commission and the staff would send conflicting messages\nto the public about Commission policy still in the process of being formulated. The\nagency further states that the core purpose of the FOIA is to \xe2\x80\x9cshed light on the\nactivities of government, rather than to expose all the internal recommendations,\nopinions, and consultations that lead up to a final agency decision.\xe2\x80\x9d The agency\ncontends that the latter is the \xe2\x80\x9cvery nature of the communications involved in the\nSECY paper and the SRM that gave rise to this OIG audit.\xe2\x80\x9d\n\nOIG Response\nOIG recognizes the need for the exchanges between the staff and Commission and\ndoes not dispute the sensitivity of pre-decisional information. However, OIG\ndisagrees with the agency\xe2\x80\x99s contention that the SECY Paper and SRM which served\nas the basis for this audit were nothing more than pre-decisional exchanges. In fact,\nOIG found that the SECY Paper in question served as an end result in that it\npresented specific criteria which the agency used to assess licensees\xe2\x80\x99 security\nmeasures. The subsequent SRM served as the final implementing tool which\nsanctioned the agency\xe2\x80\x99s use of the proposed framework.\n\nThe agency\xe2\x80\x99s response in this section did not address the need to review SECY\nPapers and SRM documents against FOIA\xe2\x80\x99s automatic disclosure criteria. Further,\nin recognition that certain documents contain material appropriately subject to non-\ndisclosure, FOIA provides that a document may be redacted or fully withheld.\n\n\nNRC Comment on Page 7, 2nd and 3rd Full Paragraphs\n\nThe agency response states that it \xe2\x80\x9cvehemently\xe2\x80\x9d disagrees with the proposition that\nSECY Papers and SRMs may contain the \xe2\x80\x9csecret law\xe2\x80\x9d of the agency.\n\n\n\n\n                                           39\n\x0c                                Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\nOIG Response\nAgency action based on unpublished documents within the statutory scope of\nFOIA\xe2\x80\x99s automatic disclosure sections has been referred to in court decisions as\n\xe2\x80\x9csecret law\xe2\x80\x9d of the agency. The agency response states that NRC does \xe2\x80\x9cstrive to\navoid creating agency policy\xe2\x80\x9d through SECY Papers and SRMs but does\nacknowledge that such material may exist. OIG found that such material does exist,\nfurther supporting OIG\xe2\x80\x99s conclusion that SECY Papers and SRMs may have been\ninappropriately withheld from public disclosure.\n\n\nNRC Comment on Page 7, 3rd Full Paragraph\n\nThe agency response states that it agrees that there is no categorical exclusion of a\nclass or records such as SECY Papers and SRMs. With respect to the\nrecommendation that all such documents, previously unpublished, undergo some\nform of review, the agency states that \xe2\x80\x9cAt best it would be overkill. At worst, it would\nbe extraordinarily wasteful of agency resources.\xe2\x80\x9d\n\nOIG Response\nThe agency acknowledges the problem created by the failure to review documents\nby acknowledging that there is \xe2\x80\x9cno categorical exemption.\xe2\x80\x9d Without such an\nexemption the agency must have internal controls to establish a reasonable basis of\ncompliance. However, NRC has no internal controls for evaluating the applicability\nof 552(a)(1) and (a)(2) standards as they pertain to SECY Papers and SRMs and as\nsuch no reasonable basis for demonstrating compliance.\n\nCosts considerations cannot be used as a basis for non-compliance. OIG does not\nsuggest the specific means of evaluating documents and the report notes that DOJ\xe2\x80\x99s\nexpert suggested that the agency might benefit from some form of screening\nprocess.\n\n\nNRC Response to Recommendation 1, Bottom of Page 7, Top of Page 8\n\nThe agency agrees, in part, to this recommendation stating that the \xe2\x80\x9cagency\xe2\x80\x99s\nprocess provides amply for compliance with the FOIA\xe2\x80\x99s (a)(2) automatic disclosure\nrequirements\xe2\x80\x9d at the time of document creation. Yet, the agency believes \xe2\x80\x9cit may be\nappropriate to revise MD [Management Directive] 3.4 and Chapter II of the Internal\nCommission Procedures to include an explicit reference to screening SECY papers\nand SRMs for FOIA subsection (a)(2) considerations.\xe2\x80\x9d\n\n\n                                            40\n\x0c                               Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\nOIG Response\nThe agency recognizes that SECY Papers and SRMs have not previously been\nevaluated to determine the applicability of FOIA\xe2\x80\x99s automatic disclosure requirements\nwhich reinforces OIG\xe2\x80\x99s finding that full compliance with FOIA was jeopardized. OIG\nnotes that the current version of NRC\xe2\x80\x99s Management Directive 3.4, Release of\nInformation to the Public, states \xe2\x80\x9cThis directive does not govern public disclosure of\ninformation required by or requested under FOIA.\xe2\x80\x9d Therefore, it is imperative to\nrevise Management Directive 3.4 and the Internal Commission Procedures to\ninclude explicit reference to screening SECY Papers and SRMs for 552(a)(2)\napplicability.\n\n\nThe agency also agrees to designate a central authority or organization as\nresponsible for placing 552(a)(1) and (a)(2) documents on NRC\xe2\x80\x99s public web site.\n\nOIG Response\nThe agency\xe2\x80\x99s response does not address OIG\xe2\x80\x99s concern.\n\nAs noted in the draft report, NRC\xe2\x80\x99s Office of Information Services already has\nresponsibility for placing the releasable documents on the agency\xe2\x80\x99s public web site.\nOIG re-emphasizes its concern that the agency does not have a central authority or\norganization responsible for implementing a process designed \xe2\x80\x9cto identify\ndocuments subject to 552(a)(1) or (a)(2) automatic release, the subsequent\nredaction review of such documents, their release in whole or part, or the required\nindexing.\xe2\x80\x9d\n\n\nNRC Response to Recommendation 2 on Page 8\n\nThe agency disagrees with this recommendation to conduct a review of previously\nunpublished SECY Papers and SRMs for 552(a)(1) or (a)(2) applicability citing a\ncurrent \xe2\x80\x9crobust program\xe2\x80\x9d that ensures SECY Papers and SRMs \xe2\x80\x9care carefully\nexamined for public disclosure suitability under applicable law and policy.\xe2\x80\x9d The\nagency states that \xe2\x80\x9cno sensible purpose would be served\xe2\x80\x9d by a review of past\ndocuments and that a \xe2\x80\x9cgreat waste\xe2\x80\x9d of agency resources would result.\n\n\n\n\n                                           41\n\x0c                              Audit of NRC\xe2\x80\x99s Process for Releasing Commission Decision Documents\n\n\n\nOIG Response\nThe sensible purpose to be served by this recommendation is the agency\xe2\x80\x99s\nreasonable assurance of full compliance with the FOIA law.\n\nAs the OIG report establishes, none of the agency\xe2\x80\x99s current reviews evaluate SECY\nPapers or SRMs to ascertain whether they should be automatically disclosed under\nFOIA. The agency also does not identify any review that determines whether\nportions of SECY Papers or SRMs can be released, another requirement of FOIA.\nBecause there are no management controls directing the review of documents\nagainst the specific statutory requirements of FOIA automatic disclosure, the agency\nhas no basis of reasonable assurance of compliance with these statutory\nrequirements. In this regard, the agency response cites an example of non-\ncompliance but asserts, without evidence, that such an example would be rare.\n\nReleasing thousands of documents does little for public confidence if it is later\ndiscovered that even a small number of documents of great public interest and\nimportance were improperly withheld. This is especially the case when documents\nare withheld in whole and not identified in publicly available indexes. For these\nreasons, although the OIG report acknowledges that the NRC makes many\ndocuments available, resource strain does not serve as a basis for ignoring FOIA\nautomatic disclosure requirements.\n\n\n\n\n                                          42\n\x0c'